Disclaimer: With the General Data Protection Regulation (GDPR) coming into effect tomorrow, Friday 25 May, the information shared here is provided solely for information sharing with Virtual Assistants. Please refer to the Information Commissioner's Office in the UK for specific advice, and/or to the European Commission for detailed guidance and a copy of the GDPR regulation.
Introduction – What is The General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.
The GDPR aims primarily to give natural persons (i.e. living people, citizens and residents) control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
It was adopted on 14 April 2016 and, after a two-year transition period, becomes enforceable on 25 May 2018. The GDPR replaces the Data Protection Act 1998, a United Kingdom Act of Parliament designed to protect personal data stored on computers or in an organised paper filing system, which implemented the EU Data Protection Directive 1995 on the protection, processing and movement of personal data.
Because the GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.
What is Personal Data?
Personal data is defined as data relating to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. It includes any expression of opinion about the individual and any indication of the intentions of the data controller, or any other person, in respect of the individual.
Examples of personal data:
- Identification number (e.g., national insurance number, passport number)
- Location data (e.g., home address)
- Online identifier (e.g., e-mail address, screen names, IP addresses, device IDs)
Special Category data is defined as personal data consisting of information as to:
- Racial or ethnic origin, political opinion, religious or other beliefs, trade union membership, physical or mental health or condition, sexual life
There are six privacy principles for General Data Protection Regulation compliance:
1. Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals.
2. Purpose limitation: you must have specific purposes for processing the data and you must indicate those purposes to individuals when collecting their personal data. You can't simply collect personal data for undefined purposes ('purpose limitation').
3. Data minimisation: you must collect and process only the personal data that is necessary to fulfil that purpose.
4. Accuracy: you must ensure the personal data is accurate and up to date, having regard to the purposes for which it is processed, and correct it if it is not.
5. Storage limitation: you must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected.
6. Integrity and confidentiality: you can't further use the personal data for other purposes that aren't compatible with the original purpose of collection.
What are the rights of data subjects?
The GDPR provides the following rights for individuals:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to object
7. Rights in relation to automated decision-making and profiling: Article 22 of the GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.
You must identify whether any of your processing falls under Article 22 and, if so, make sure that you:
- give individuals information about the processing;
- introduce simple ways for them to request human intervention or challenge a decision;
- carry out regular checks to make sure that your systems are working as intended.
Controller and Processor
- The GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved: the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
Source: Information Commissioner's Office